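Installing Helm in a Kubernetes Environment

Introduction to Helm

Helm can be thought of as the package manager for Kubernetes: it makes it easy to find, share and use applications built for Kubernetes.

Helm uses a client/server architecture and consists of the following components:

Helm CLI is the Helm client and runs locally
Tiller is the server-side component; it runs on the Kubernetes cluster and manages the lifecycle of Kubernetes applications
Repository is the chart repository; the Helm client accesses the chart index files and archives in the repository over HTTP.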

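1. Helm's three basic concepts

Chart: a Helm application package containing all of the application's Kubernetes manifest templates, similar to a YUM RPM or an Apt dpkg file
Repository: the repository where Helm packages are stored
Release: a deployed instance of a chart; each chart can be deployed as one or more releases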

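2. How Helm works

Helm packages Kubernetes resources (such as deployments, services or ingress) into a chart, and charts are stored in a chart repository, which is used to store and share them. Helm makes releases configurable, supports versioning of a release's application configuration, and simplifies version control, packaging, release, deletion and upgrade of applications deployed on Kubernetes.

Helm has two parts: the helm client and the tiller server.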

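3. The helm client

The helm client is a command-line tool that manages charts, repositories and releases. It sends requests to tiller over the gRPC API (it uses kubectl port-forward to map tiller's port to the local machine and then talks to tiller through the mapped port), and tiller manages the corresponding Kubernetes resources.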

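4. The tiller server

tiller receives requests from the helm client and sends the corresponding resource operations to Kubernetes; it manages (installs, queries, upgrades, deletes, and so on) and tracks Kubernetes resources. For ease of management, tiller stores release information in Kubernetes ConfigMaps.
tiller exposes a gRPC API for the helm client to call.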

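Installation

We need to install the Helm client locally and the server side, Tiller, into Kubernetes.

1. Client installation:

Download the appropriate version: https://github.com/kubernetes/helm/releases
Here I downloaded helm-v2.9.1-linux-amd64.tar.gz
Extract it (tar -zxvf helm-v2.9.1-linux-amd64.tar.gz)
Put the helm executable in place: (mv linux-amd64/helm /usr/local/bin/helm)

2. Server-side installation:

Initialize and verify Helm; this automatically installs the server side, Tiller.
Note: because of network problems in mainland China, installing Tiller requires pulling the image gcr.io/kubernetes-helm/tiller:v2.9.1, which is very likely to fail. So here we use the Aliyun mirror to install Tiller.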

$ helm init --upgrade -i registry.cn-hangzhou.aliyuncs.com/google_containers/tiller:v2.9.1 --stable-repo-url https://kubernetes.oss-cn-hangzhou.aliyuncs.com/charts

Creating /home/luanpeng/.helm 
Creating /home/luanpeng/.helm/repository 
Creating /home/luanpeng/.helm/repository/cache 
Creating /home/luanpeng/.helm/repository/local 
Creating /home/luanpeng/.helm/plugins 
Creating /home/luanpeng/.helm/starters 
Creating /home/luanpeng/.helm/cache/archive 
Creating /home/luanpeng/.helm/repository/repositories.yaml 
Adding stable repo with URL: https://kubernetes-charts.storage.googleapis.com 
Adding local repo with URL: http://127.0.0.1:8879/charts 
$HELM_HOME has been configured at /home/luanpeng/.helm.

Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster.
Happy Helming!

After a short wait, you will find that the server side, Tiller, has been installed into our Kubernetes cluster and is running as a Kubernetes Pod in the kube-system namespace

$ helm version
Client: &version.Version{SemVer:"v2.9.1", GitCommit:"20adb27c7c5868466912eebdf6664e7390ebe710", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.9.1", GitCommit:"20adb27c7c5868466912eebdf6664e7390ebe710", GitTreeState:"clean"}



$ kubectl get pods --all-namespaces
...
kube-system   tiller-deploy-f9b8476d-q89lh            0/1       ImagePullBackOff   0          4m

 

If the Tiller installation failed, the helm version command reports that it cannot connect to Tiller.

Installation problems:

1. socat is missing

[root@master ~]# helm version
Client: &version.Version{SemVer:"v2.9.1", GitCommit:"20adb27c7c5868466912eebdf6664e7390ebe710", GitTreeState:"clean"}
E0814 15:50:10.763548 20622 portforward.go:331] an error occurred forwarding 41171 -> 44134: error forwarding port 44134 to pod 9c801acc204cc81fa350b172a9575c0932fea99ce8229a7bacefc75707cd60f6, uid : unable to do port forwarding: socat not found.
Error: cannot connect to Tiller

Solution:
Install socat on the nodes of the Kubernetes cluster

[root@master ~]# yum install socat
[root@master ~]# helm version
Client: &version.Version{SemVer:"v2.9.1", GitCommit:"20adb27c7c5868466912eebdf6664e7390ebe710", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.9.1", GitCommit:"20adb27c7c5868466912eebdf6664e7390ebe710", GitTreeState:"clean"}

 

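2. Like kubectl, helm reads its configuration and certificates from .kube/config to communicate with k8s. Make sure kubectl works first; otherwise the following error appears: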

[root@master ~]# helm version
Client: &version.Version{SemVer:"v2.9.1", GitCommit:"20adb27c7c5868466912eebdf6664e7390ebe710", GitTreeState:"clean"}
Error: cannot connect to Tiller

3. RBAC permission problem: if RBAC is enabled on the cluster, the following problem appears:

[root@master helm]# helm list
Error: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"

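Solution:
Grant tiller RBAC permissions:

a. Write the manifest file that controls the RBAC permissions

First create the service account (sa), then bind the cluster-admin role to it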

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
kind: ClusterRoleBinding
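# rbac.authorization.k8s.io/v1 (available since Kubernetes 1.8) replaces v1beta1, which was removed in Kubernetes 1.22
apiVersion: rbac.authorization.k8s.io/v1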
metadata:
  name: tiller-cluster-rule
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: kube-system 

b. Create tiller's RBAC permissions with kubectl

[root@master helm]# kubectl create -f helm-rbac.yaml 
serviceaccount "tiller" created
clusterrolebinding.rbac.authorization.k8s.io "tiller-cluster-rule" created

 

c. Edit the Tiller Deployment and add the serviceAccount. The Tiller Deployment is named tiller-deploy.

[root@master helm]# kubectl edit deploy --namespace kube-system tiller-deploy

 

Insert one line (serviceAccount: tiller) in the spec: template: spec section of the file, as shown below:
...
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: helm
      name: tiller
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: helm
        name: tiller
    spec:
      serviceAccount: tiller
      containers:
      - env:
        - name: TILLER_NAMESPACE
          value: kube-system
        - name: TILLER_HISTORY_MAX
...
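
The binding in step a gives the tiller service account cluster-admin, so after step c every Tiller pod holds full control of the cluster. The following added example (not from the original post) is a Python check that lists which deployments run as a service account bound to cluster-admin; the JSON samples are constructed and trimmed, and every name other than tiller-cluster-rule and kube-system/tiller-deploy is made up.

```python
import json

# Constructed, trimmed samples of `kubectl get clusterrolebindings -o json` and
# `kubectl get deploy --all-namespaces -o json`. Only tiller-cluster-rule and
# tiller-deploy in kube-system come from this page; the rest is made up.
BINDINGS = json.loads("""{"items": [
 {"metadata": {"name": "tiller-cluster-rule"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "tiller", "namespace": "kube-system"}]},
 {"metadata": {"name": "ops-admins"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "ops"}]},
 {"metadata": {"name": "no-subjects"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}, "subjects": null}]}""")
DEPLOYS = json.loads("""{"items": [
 {"metadata": {"name": "tiller-deploy", "namespace": "kube-system"},
  "spec": {"template": {"spec": {"serviceAccount": "tiller"}}}},
 {"metadata": {"name": "web", "namespace": "kube-system"},
  "spec": {"template": {"spec": {}}}},
 {"metadata": {"name": "tiller-deploy", "namespace": "dev"},
  "spec": {"template": {"spec": {"serviceAccountName": "tiller"}}}}]}""")


def admin_service_accounts(bindings, role="cluster-admin"):
    """Map (namespace, name) of each ServiceAccount bound to `role` to its bindings."""
    found = {}
    for b in bindings.get("items", []):
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        for s in b.get("subjects") or []:  # subjects may be absent or null
            if s.get("kind") == "ServiceAccount":
                key = (s.get("namespace", ""), s["name"])
                found.setdefault(key, []).append(b["metadata"]["name"])
    return found


def workloads_with_admin(bindings, deploys):
    """List (namespace, deployment, account) for pods running as a flagged account."""
    flagged = admin_service_accounts(bindings)
    hits = []
    for d in deploys.get("items", []):
        ns, pod = d["metadata"]["namespace"], d["spec"]["template"]["spec"]
        # serviceAccount is the deprecated alias set on this page; unset means "default".
        sa = pod.get("serviceAccountName") or pod.get("serviceAccount") or "default"
        if (ns, sa) in flagged:
            hits.append((ns, d["metadata"]["name"], sa))
    return hits

print(workloads_with_admin(BINDINGS, DEPLOYS))
```

On a live cluster, replace the samples with the output of kubectl get clusterrolebindings -o json and kubectl get deploy --all-namespaces -o json.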

 

posted @ 2018-08-14 16:30  <Snooker>